
Default X509TrustManager and wildcard hostname validation?

I am constructing a default X509TrustManager that's going to be used for hostname validation:

    import java.security.KeyStore;
    import java.security.KeyStoreException;
    import java.security.NoSuchAlgorithmException;
    import javax.net.ssl.TrustManager;
    import javax.net.ssl.TrustManagerFactory;
    import javax.net.ssl.X509TrustManager;

    private X509TrustManager defaultTrustManager;

    // CelleryCellSTSException is the application's own checked exception type
    private void initDefaultTrustManager() throws CelleryCellSTSException {
        TrustManagerFactory trustManagerFactory = null;
        try {
            // Default algorithm (PKIX) initialised with a null KeyStore uses the JVM's cacerts truststore
            trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();

            // Keep the first X509TrustManager the factory produced
            for (int i = 0; i < trustManagers.length; i++) {
                TrustManager t = trustManagers[i];
                if (t instanceof X509TrustManager) {
                    this.defaultTrustManager = (X509TrustManager) t;
                    return;
                }
            }
        } catch (NoSuchAlgorithmException | KeyStoreException e) {
            throw new CelleryCellSTSException("Error while setting trust manager", e);
        }
    }

However, I can't find out anywhere whether this is going to support wildcard certificates as well, or whether I need to build a custom trust manager just for that. Is there any documentation available on this? I would like to read more about how wildcard validation really works, if it is supported. I'm using Java 8 and 11, thanks.

In Java 7 and up, the TrustManagers created by TrustManagerFactory do hostname checking if (and only if) an 'endpoint identification' algorithm is set for the particular connection being made (more exactly, the SSLSocket or SSLEngine), see here for socket and here for engine. The supported algorithms HTTPS and LDAPS are actually implemented here (with HTTPS internally called TLS), which you can see handles valid wildcards (only in DNS name, not IP address) but rejects invalid ones.

HttpsURLConnection and 11-up java.net.http.HttpClient use the 'HTTPS' algorithm. For other ways of invoking JSSE, either your code or the relevant middleware must set endpoint-id if you want it done.
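The answer above says the default trust manager only checks the hostname (including wildcard matching against the certificate's DNS names) when an endpoint identification algorithm is set on the SSLSocket or SSLEngine. The following is an added example, not code from the question or the answer, showing where that setting goes for both APIs. The host name, port and class name are assumptions; the socket part needs network access to the assumed host, and without the `setEndpointIdentificationAlgorithm("HTTPS")` call a certificate for an unrelated name that chains to a trusted CA would pass the default trust manager unchallenged.

```java
import java.io.IOException;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;

public class EndpointIdentificationExample {

    // Assumed peer; the HTTPS algorithm compares this name against the certificate's
    // subjectAltName dNSName entries, so a "*.example.com" certificate would match it
    // (wildcards are only honoured for DNS names, never for IP address literals).
    static final String HOST = "www.example.com";
    static final int PORT = 443;

    /** Turn on HTTPS-style identity checking for a client socket before the handshake. */
    static void enableHttpsEndpointIdentification(SSLSocket socket) {
        SSLParameters params = socket.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        socket.setSSLParameters(params);
    }

    /** Same setting for the non-blocking SSLEngine API. */
    static SSLEngine clientEngineWithHostnameCheck(SSLContext ctx, String host, int port) {
        // Supply host/port here: the engine's peer host is the name the check is made against
        SSLEngine engine = ctx.createSSLEngine(host, port);
        engine.setUseClientMode(true);
        SSLParameters params = engine.getSSLParameters();
        params.setEndpointIdentificationAlgorithm("HTTPS");
        engine.setSSLParameters(params);
        return engine;
    }

    public static void main(String[] args) throws Exception {
        // The default context is backed by the same default (PKIX) trust managers the
        // question builds via TrustManagerFactory, trusting the JVM's cacerts store.
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();

        // Create the socket with the host name so the handshake knows which identity to expect
        try (SSLSocket socket = (SSLSocket) factory.createSocket(HOST, PORT)) {
            enableHttpsEndpointIdentification(socket);
            // With the algorithm set, a name mismatch (including an invalid wildcard) makes the
            // default trust manager fail the handshake with an SSLHandshakeException whose cause
            // is a CertificateException about the subject alternative name.
            socket.startHandshake();
            System.out.println("Handshake OK, peer = " + socket.getSession().getPeerPrincipal());
        } catch (IOException e) {
            System.out.println("Handshake failed: " + e.getMessage());
        }

        SSLEngine engine = clientEngineWithHostnameCheck(ctx, HOST, PORT);
        System.out.println("Engine endpoint-id algorithm = "
                + engine.getSSLParameters().getEndpointIdentificationAlgorithm());
    }
}
```

For code that hands the default X509TrustManager to a framework rather than opening sockets itself, the practical check is the same: confirm that whatever creates the SSLSocket or SSLEngine sets the endpoint identification algorithm, because the trust manager alone does not know which host name was intended.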
